The only surprising bit is this:
+ if (*len < 0) /* This should never happen */
+ *len = 0;
+
So if it never happens, why have it?
I put that in there to flag out an issue in review (which it has).
There was a point where len was actually going negative and causing a
segfault. I put that there to catch that condition long enough for me
to see what was happening to fix it.
Its sort of a policy question. Leaving it may prevent a future segfault
if something starts going wrong again. It would allow us to see bad
output rather than a segfault. Other than that, there is no need. I
will take it out.
With these changes I assume that it is OK to commit to 4.0 after
retesting.